Audit Report

OIG-12-077
TERRORIST FINANCING/MONEY LAUNDERING: FinCEN’s BSA IT Modernization Program Is Meeting Milestones, But Oversight Remains Crucial
September 27, 2012

Office of Inspector General
Department of the Treasury

Contents

Audit Report

  Results in Brief

  Findings

      BSA IT Mod Program Is Generally Meeting Schedule and Cost Milestones But Some Projects’ Completion Dates Have Been Extended
      FinCEN Conducted BSA IT Mod Project Performance Testing and Resolved Significant Issues
      FinCEN Maintained Oversight of the BSA IT Mod Program

Appendices

  Appendix 1: Objectives, Scope, and Methodology
  Appendix 2: Corrective Actions to Prior Audit Recommendations
  Appendix 3: Additional Background Information on BSA IT Mod
  Appendix 4: Management Response
  Appendix 5: Major Contributors to this Report
  Appendix 6: Report Distribution

Abbreviations

  BSA                  Bank Secrecy Act
  BSA Direct           BSA Direct Retrieval and Sharing
  BSA IT Mod           BSA Information Technology Modernization Program
  CIO                  Chief Information Officer
  EVM                  earned value management
  FinCEN               Financial Crimes Enforcement Network
  H. Rept.             House Report
  IRS                  Internal Revenue Service
  IT                   Information Technology
  MITRE                MITRE Corporation
  OCIO                 Office of the Chief Information Officer
  OIG                  Office of Inspector General
  PMO                  Project Management Office
  SOR                  system of record
  TEOAF                Treasury Executive Office of Asset Forfeiture
  WebCBRS              Web-based Currency and Banking Retrieval System

FinCEN’s BSA IT Modernization Program Is Meeting Milestones, But Oversight Remains Crucial (OIG-12-077)

OIG Audit Report
The Department of the Treasury
Office of Inspector General

September 27, 2012

Jennifer Shasky Calvery, Director
Financial Crimes Enforcement Network

The Financial Crimes Enforcement Network (FinCEN) administers the Bank Secrecy Act (BSA), which established the framework to combat criminal use of the financial system. BSA requires financial institutions to report certain financial transactions made by their customers.
FinCEN oversees the management, processing, storage, and dissemination of BSA data.

In November 2006, FinCEN began a system development effort, the BSA Information Technology Modernization Program (BSA IT Mod), to improve the collection, analysis, and sharing of BSA data. The intent of the system was, among other things, to transition BSA data from the Internal Revenue Service (IRS) to FinCEN.[1] BSA IT Mod is estimated to cost $120 million and is to be completed in 2014.

Pursuant to a Congressional directive, we conducted a second in a series of audits of FinCEN’s BSA IT Mod.[2] Consistent with the Congressional directive, the objectives of the audit were to determine if FinCEN is (1) meeting cost, schedule, and performance benchmarks for the program and (2) providing appropriate oversight of contractors. The period covered by this audit is June 2011 through May 2012. We interviewed FinCEN program officials, Department of the Treasury Office of the Chief Information Officer (Treasury OCIO) officials, and IRS officials involved with managing and using BSA data. We interviewed representatives from Deloitte Consulting, LLP (Deloitte), and MITRE Corporation (MITRE), the contractors involved with the program.[3] We also reviewed applicable program documentation. We performed our fieldwork from March 2012 to August 2012. Appendix 1 provides a more detailed description of our audit objectives, scope, and methodology.

[1] Until recently, the processing, storage, and dissemination of BSA data was maintained at IRS’s Enterprise Computing Center in Detroit, Michigan.
[2] House Report (H. Rept.) 112-331 directed our office to report on BSA IT Mod, including contractor oversight and progress regarding budget and schedule, semiannually. Our first report under this requirement was due March 31, 2012, and was issued on March 26, 2012.

In March 2012, we reported on FinCEN’s BSA IT Mod program as of May 2011.[4] We found that the program was generally within scheduled milestones though certain projects had been delayed by more than the 10 percent of schedule. We concluded that FinCEN prepared a credible business case before beginning development of BSA IT Mod but did not report $11.2 million of planning costs.
We also found that FinCEN had restructured to strengthen management and oversight of the program, and the Treasury OCIO was actively overseeing BSA IT Mod.

In the March 2012 report, we also cautioned that the successful and timely completion of BSA IT Mod was, in part, dependent on the successful completion of the system of record (SOR). The SOR is the information storage system for BSA data. FinCEN had extended the SOR’s completion date because of complexities encountered during its development. In addition, we found that certain IRS users had expressed concerns over the potential impact to their operations as they transitioned from being a supplier of BSA data to being a receiver of BSA data. To address this, FinCEN decided to provide the data in the same format that Web-based Currency Banking and Retrieval System (WebCBRS) had been using and to map the data contained in the newly planned BSA forms to WebCBRS.[5] This was not part of FinCEN’s original development plan as it was initially expected that all IRS users would transition to the new system.

[3] FinCEN contracted with Deloitte to oversee the systems development and integration effort. Deloitte is the prime contractor in the BSA IT Mod effort. MITRE is a not-for-profit organization chartered to work in the public interest with expertise in systems engineering, information technology, operational concepts, and enterprise modernization. FinCEN engaged MITRE as a subject matter expert on program and project management and BSA IT Mod business capabilities.
[4] Treasury Office of Inspector General (OIG), FinCEN’s BSA IT Modernization Program Is on Schedule and Within Cost, But Requires Continued Attention to Ensure Successful Completion (OIG-12-047; Mar. 26, 2012).

Results in Brief

As of May 2012, similar to what we reported in March 2012, we found that the BSA IT Mod program was on schedule and within budgeted cost. Development of the program met all major scheduled milestones, though the planned completion dates for certain projects were extended. During the scope of this review, FinCEN became the authoritative source for BSA data when it transitioned the collection, processing, and storage of all BSA data from IRS in January 2012.

FinCEN tested the performance of BSA IT Mod projects completed as of our review, and resolved many significant issues identified during the testing. To address previously reported concerns with the new SOR, FinCEN was able to provide BSA data from its E-Filing system in the same format IRS used. That is, it was able to successfully map the data from the new BSA forms to the legacy IRS WebCBRS system format. FinCEN tested and completed mapping to both legacy and new BSA forms.
Both FinCEN and IRS signed off on the data mapping with no major concerns identified.

While the above are notable accomplishments, potential risks still remain to the successful implementation of BSA IT Mod. One potential risk is the interdependency between the component projects. For example, changes made to one project are likely to result in changes to other projects. There is also risk in that additional costs and schedule delays could occur if project resources are reallocated and used to resolve defects, conduct additional testing, or enhance projects during development.

[5] WebCBRS is IRS’s BSA data warehouse and information retrieval system.

FinCEN maintained oversight of the BSA IT Mod program. For example, it continued to monitor BSA IT Mod contractor performance through status review meetings. However, we did identify an area of concern related to the program’s oversight. FinCEN discontinued independent program assessments by its Project Management Office (PMO). The PMO turned its focus on providing technical assistance for BSA IT Mod’s configuration management[6] after completing two assessments.
While we did not identify any adverse impact to the BSA IT Mod program so far as a result of the PMO’s reduced independent oversight, we plan to follow up on this area in our upcoming audits of the program. With respect to Treasury OCIO, we found that the office’s monitoring of the program continued, primarily through reviews of FinCEN-prepared documentation of program progress.

This audit, our second in a series, did not identify the need to make any new recommendations to FinCEN. Our first audit identified two recommendations for which corrective action has been taken. Appendix 2 provides further details on these recommendations and FinCEN’s corrective actions.

In its management response, FinCEN agreed with our report findings and conclusions, and emphasized among other things actions it had taken to manage the BSA IT Mod program. The FinCEN management response is provided in appendix 4. We also received comments from the Treasury Chief Information Officer (CIO), provided in an email. In our draft report, we expressed concern that since our last audit, Treasury OCIO had reduced and limited its oversight activities of the BSA IT Mod program to a review of program documentation.
In her comments, the CIO stated that the draft report overstated the change in oversight by her office and that she believed oversight of FinCEN’s BSA IT Mod program in the period we reviewed was appropriate. The CIO also noted that going forward, she plans to increase the level of interaction with the bureau CIOs and take a more proactive approach to continually improve oversight. While we acknowledge the CIO’s perspective on her office’s level of oversight, we plan to continue assessing that oversight in our future audits.

[6] Configuration management is a process for establishing and maintaining consistency of a system’s performance and functional and physical attributes with its requirements, design, and operational information throughout its life. The process includes the detailed recording and updating of information that describes an enterprise's hardware and software. It allows computer technicians to see what is currently installed, make a more informed decision about upgrades needed, and make sure any changes made to one system do not adversely affect any of the other systems.

Finding 1  BSA IT Mod Program Is Generally Meeting Schedule and Cost Milestones But Some Projects’ Completion Dates Have Been Extended

As of May 2012, we found that the BSA IT Mod program was on schedule and within budgeted cost.
Development of the program met all major scheduled milestones, though the planned completion dates for certain projects were extended. Also, FinCEN became the authoritative source for BSA data upon transitioning the collection, processing, and storage of all BSA data from IRS in January 2012.

Figure 1 provides a timeline of significant events in the BSA IT Mod program.

Figure 1. Timeline of Significant Events in FinCEN’s BSA System Modernization Efforts

  July 2006                       FinCEN terminated BSA Direct*
  November 2006                   FinCEN established IT modernization, vision and strategy and set modernization foundation
  January 2007 – December 2009    FinCEN developed IT governance process, stakeholders’ needs, and business case
  January 2009                    Program initiation and planning phase of BSA IT Mod started
  May 2010                        Design and development phase started
  June 2011                       FinCEN realigned costs and adjusted schedule
  January 2012                    FinCEN transitioned the collection, processing, and storage of all BSA data from IRS
  April 2013                      Planned release of last scheduled BSA IT Mod component
  April 2014                      Planned system development completion

Source: OIG review of FinCEN data.
*FinCEN terminated BSA Direct Retrieval and Sharing (BSA Direct) after concluding the project had no guarantee of success. We reviewed that failure and found that FinCEN poorly managed the predecessor project, insufficiently defined functional and user requirements, misjudged project complexity, and established an unrealistic completion date. We also found that the Treasury OCIO did not actively oversee the project, as required by the Clinger-Cohen Act of 1996. OIG, The Failed and Costly BSA Direct R&S System Development Effort Provides Important Lessons for FinCEN’s BSA Modernization Program (OIG-11-057: Jan. 5, 2011).

BSA IT Mod Generally Met Scheduled Milestones

As of May 31, 2012, FinCEN met all major scheduled milestones, although the planned completion dates for certain projects had been extended. FinCEN management officials told us that the extensions were needed for further development, testing, and resolution of noted defects. Dates were also extended because resources were reallocated and used to resolve those defects and make changes to the SOR project after it was initially deployed. In this regard, because individual BSA IT Mod component projects are dependent on one another, changes to one project, such as the SOR, required programming changes to other projects. Table 1 displays the status of BSA IT Mod by project.
See appendix 3 for project descriptions.

Table 1: BSA IT Mod Schedule Status as of May 31, 2012

                                      Planned        Revised        Actual or
                                      Completion     Completion     Planned
                                      Date at        Date at        Completion       Status at
Project                               May 2010 [1]   June 2011 [2]  Date [3]         May 31, 2012
System of Record (SOR)
  Release 1                           9/30/2011      12/1/2011      12/15/2011       Complete
  Release 2                           6/30/2012      7/1/2012       7/31/2012 [6]    Ongoing
Shared Filing Services
  Release 1                           9/30/2011      12/1/2011      12/15/2011       Complete
  Release 2                           6/30/2012      7/1/2012       7/1/2012 [6]     Ongoing
Third Party Data
  Release 1                           9/30/2011      12/1/2011      12/15/2011       Complete
  Release 2                           6/30/2012      7/1/2012       7/1/2012 [6]     Ongoing
Data Conversion                       12/31/2011     1/1/2012       1/6/2012         Complete
E-Filing
  Release 1                           6/30/2011      7/1/2011       7/1/2011         Complete
  Release 2                           10/31/2011     7/1/2012       7/31/2012 [6]    Ongoing
FinCEN Query
  Release 1                           2/28/2012      6/1/2012       6/30/2012        Ongoing
  Release 2                           9/30/2012      10/1/2012      12/1/2012 [6]    Ongoing
Advanced Analytics
  Release 1                           10/31/2010     10/31/2010     10/31/2010       Complete
  Release 2                           4/30/2011      4/30/2011      4/30/2011        Complete
  Release 3                           7/31/2012      9/1/2012       9/1/2012 [6]     Ongoing
  SCIF [4]                            n/a            12/1/2012      10/1/2012 [6]    Ongoing
Register User Portal                  3/31/2011      3/31/2011      3/31/2011        Complete
Identity/Access Control Management    3/31/2011      3/31/2011      3/31/2011        Complete
Broker Information Exchange
  314A,B Release 1                    5/31/2011      5/31/2011      5/31/2011        Complete
  314A,B Release 2                    12/31/2012     4/1/2013       4/1/2013 [6]     Ongoing
Alerts                                9/30/2012      1/1/2013       1/1/2013 [6]     Ongoing
Bulk Data Dissemination
  Release 1                           9/30/2011      3/1/2012       4/17/2012        Complete
  Release 2                           6/30/2012      7/1/2012       7/1/2012 [6]     Ongoing
Infrastructure & Portal
Security Develop and Test             9/30/2010      9/30/2010      9/30/2010        Complete
  Release 1                           3/31/2011      3/31/2011      3/31/2011        Complete
  Release 2                           9/30/2011      9/30/2011      9/30/2011        Complete
  Release 3                           6/30/2012      n/a [5]        n/a [5]          n/a [5]

Source: OIG analysis of FinCEN documentation.
[1] The dates displayed were the initial planned completion dates when in May 2010, FinCEN began the design and development of projects after receiving Office of Management and Budget approval.
[2] FinCEN submitted a baseline change request (BCR) to the Treasury CIO to adjust selected project milestone schedule dates and realign costs to keep the overall program on track. The baseline change was implemented in June 2011. See appendix 3 for additional information regarding the BCR.
[3] Dates displayed represent the actual completion dates if the project was completed, or the planned completion date as of the cutoff date of our review (May 31, 2012).
[4] A sensitive compartmented information facility (SCIF) has formal access controls and is used to hold information concerning or derived from intelligence sources, methods, or analytical processes. FinCEN plans to provide its SCIF with advanced analytics capability, which was not part of the initial plan.
[5] Not applicable - The work planned for Infrastructure Release 3 was removed from the project and will be done as part of BSA IT Mod’s on-going operations and maintenance.
[6] We plan to determine the status and report on the milestone in our next semiannual report pursuant to H. Rept. 112-331.

One major accomplishment for FinCEN was its completion of the SOR and successful conversion of 11 years of historical BSA data, about 850 million records, from IRS’s WebCBRS data base into the new BSA IT Mod SOR in January 2012.[7] It was with that event that FinCEN assumed the role as the authoritative source of BSA data as it successfully transitioned the collection, processing, and storage of all BSA data from IRS.

The SOR and data conversion projects had only small schedule extensions. The SOR’s scheduled completion date was delayed by 2 weeks to incorporate changes and fix defects. Actual costs exceeded budgeted costs by approximately $240,000, or 3 percent. The scheduled completion date for the conversion of 11 years of BSA data was extended by just under 1 week, and costs were within the project’s budget plan.

[7] The SOR is a major project and part of a wider effort of BSA IT Mod program’s Data Collection Storage and Dissemination (DCSD) effort. DCSD focused on the development of the technical design specifications for the first release of the system components to receive and store data from the E-Filing system and load that BSA data to the Shared Filing Services and to SOR. Third Party Data is also a project in DCSD. Shared Filing Services and Third Party Data experienced the same schedule slippage as the SOR and are also reflected in the cost increase described above.

The completion date for release 1 of the Bulk Data Dissemination project was delayed by approximately 7 weeks because the project’s resources were reallocated to the SOR to complete its development and resolve defects.

The completion dates of release 2 of the SOR and release 2 of E-Filing were delayed 4 weeks. The SOR was delayed because resources intended for completing its development were reallocated to address development issues and outstanding defects in the first release of the SOR, which needed to be addressed prior to deploying FinCEN Query.[8] FinCEN program management officials told us that E-Filing was extended because of delays in awarding the contract.

The next major BSA IT Mod milestone was the completion of FinCEN Query. FinCEN extended its completion date from June 1, 2012, to June 30, 2012, with deployment to external users delayed until enhancements requested by law enforcement were included.
These enhancements were being incorporated into the schedule as the first interim milestone of release 2. FinCEN planned to complete development and start deployment in September 2012. The final milestone of release 2 was scheduled for completion on December 1, 2012. FinCEN also added approximately $500,000 to the project’s budget for increased testing. FinCEN extended the schedule completion date for FinCEN Query to incorporate changes after FinCEN made changes to the SOR.

FinCEN plans to enhance FinCEN Query in response to law enforcement user requests. FinCEN program management officials told us that users thought FinCEN Query, in its current state, produced too many results and was too challenging to use. Approximately $400,000 was added to the planned budget to cover these enhancements. IRS agreed to support data querying through its WebCBRS until December 1, 2012, while FinCEN enhances FinCEN Query. IRS initially planned to support that function until September 2012, when FinCEN Query was supposed to become available to users.

[8] At the time of our review, a FinCEN official stated that the cost impact to release 2 of the SOR was approximately $200,000.

BSA IT Mod Was Within Budgeted Costs

As of May 31, 2012, FinCEN reported that it had spent approximately $63.7 million developing BSA IT Mod from its overall $120 million, 4-year plan.
Not included in this amount\nwas approximately $11.2 million in program planning costs,\nwhich we addressed in our March 2012 report. In that regard,\nFinCEN\xe2\x80\x99s actual program costs incurred through May 2012\nwere approximately $75 million. A breakdown by category of\nthe actual costs incurred is provided in Table 2 below.\n\n Table 2: BSA IT Mod Costs as of May 31, 2012 (in millions)\n Category                                                    Amount\n Initial Planning                                             $11.2\n Development\n     Hardware and Software                                       9.3\n     Contractor Services                                        31.3\n     Other1                                                     10.2\n     Operations and Maintenance                                  8.5\n FTE2                                                            4.5\n Total                                                         $75.0\n Source: OIG analysis of FinCEN data.\n 1\n   Other costs are comprised of (1) program management and\n program engineering performed by Deloitte and MITRE, (2) a\n contract office fee of 4 percent for the Department of the Interior\xe2\x80\x99s\n National Business Center Acquisition Services Directorate for\n support of the BSA IT Modernization Program, and (3) a\n management reserve for potential additional work to be performed\n within the authorized work scope of the contract or to\n accommodate rate changes for future work.\n 2\n   FTE is the estimated costs associated with FinCEN employees\n working on the BSA IT Mod program.\n\n\nFinCEN was funding BSA IT Mod through $96.4 million received\nfrom both its annual appropriations and supplemental funding\nfrom the Treasury Executive Office of Asset Forfeiture (TEOAF).\nTEOAF provided funding for the BSA IT Mod Program consistent\nwith its authority to provide funds for law enforcement-related\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Is Meeting 
expenditures. [9] Table 3 below identifies the program’s funding
sources by year.

Table 3: BSA IT Mod Funding Sources as of May 2012 (in millions)
Fiscal Year        TEOAF        Appropriation        Total
2009                $3.7                 $2.5         $6.2
2010                11.7                 18.5         30.2
2011                11.5                 18.5         30.0
2012                 6.5                 23.5         30.0
Total              $33.4                $63.0        $96.4
Source: OIG analysis of FinCEN and TEOAF documentation.

Finding 2    FinCEN Conducted BSA IT Mod Project Performance
             Testing and Resolved Significant Issues

In a process referred to as government acceptance testing, [10]
FinCEN tested the performance of the BSA IT Mod projects
completed as of our review. It also resolved issues identified
during the testing.

As shown in Table 4 below, FinCEN tested Shared Filing
Services, Third Party Data, and Data Conversion. FinCEN also
completed testing of data processed through E-Filing into the
SOR.

[9] TEOAF administers the Treasury Forfeiture Fund, which is the receipt account for the deposit of
non-tax forfeitures made as a result of law enforcement actions by participating Treasury and
Department of Homeland Security agencies. The Treasury Forfeiture Fund is established under
31 U.S.C.
§ 9703. The Fund can provide money to other federal entities to accomplish specific
objectives for which the recipient bureaus are authorized to spend money and toward other
authorized expenses. Distributions from this Fund in excess of $500,000 cannot be used until
Appropriations Committees from both houses of Congress are notified. TEOAF submits its planned
release of funds to Congress annually.
[10] Government acceptance testing is the government’s opportunity to validate that project
requirements were met. It includes testing functionality, system usability, permissions and security,
compatibility testing, and traceability to business requirements through test script execution,
demonstrations and inspections. Performance and response time are also observed.

Table 4: BSA IT Mod Project Testing Status as of June 27, 2012
                                        Completion        Total        Closed    Open
Project                                 Date of Testing   Defects [1]  Defects   Defects
Daily Processing of Data:               12/14/2011        362          355       7
  System of Record
    Release 1
  Third Party Data
    Release 1
  Shared Filing Services
    Release 1
Data Conversion                         12/14/2011        544          544       0
E-Filing
    Release 1                           6/7/2011          7            7         0
    Release 2                           3/8/2012          361          301       60
FinCEN Query
    Release 1                           6/27/2012         1,142        931       211
Advanced Analytics
    Release 1                           10/18/2010        70           66        4
    Release 2                           4/14/2011         50           49        1
Register User Portal, Identity/Access
Control Management                      3/22/2011         33           24        9
Broker Information Exchange
    314A Release 1                      5/26/2011         23           23        0
Source: OIG analysis of FinCEN data.
[1] A defect is when the actual test results do not match the expected results. Defects are also commonly
referred to as bugs, issues, problems, or incidents.

As shown in Table 4, the FinCEN Query testing was ongoing as
of May 31, 2012, and FinCEN was actively working to resolve
defects. Based on our review of sample test results, we found
open defects included, for example, browser incompatibilities
between different versions preventing some information from
displaying. Another example of a type of open defect resulted
from the way business rules were written in that there was an
overlap in states and countries. For example, both the code for
California and Canada is “CA” resulting in a resident of
California also being displayed as a resident of Canada.

The Infrastructure project did not undergo independent
government acceptance testing. However, for the Infrastructure
project, FinCEN determined that the servers, the network, and
databases were operational.
The Bureau of the Public Debt
performed an independent third-party certification and
accreditation of the infrastructure. [11] FinCEN developed a Plan of
Actions and Milestones to address identified risks. [12]

Testing of the Bulk Data Dissemination project, release 1, also
had not undergone government acceptance testing. Instead,
FinCEN provided users with sample bulk data files to test and
validate. FinCEN collected user comments and updated bulk
data specifications accordingly. Government acceptance testing
is planned for release 2 of the project.

FinCEN program management officials and representatives from
Deloitte and MITRE told us that all issues identified during
project testing severe enough to adversely impact the program
had been resolved prior to project deployment. FinCEN program
management officials also told us that they knew of no defects
that they considered to be “icebergs” or “showstoppers,” or
had any concerns with software performance.
FinCEN program
management officials told us defects remaining open after
testing were considered low severity, and a process was in
place to resolve the open defects.

Defects discovered during the government acceptance testing
were reviewed by FinCEN and classified into levels of severity,
from 1 to 5, with 1 being the most severe (a “showstopper”)
and 5 being minimal. Level 1 and 2 defects were returned to the
respective developer for correction. Prior to accepting the
correction, FinCEN performed regression testing to either accept
or reject the correction. [13] Level 3 through 5 defects are to be
resolved in future project releases. [14]

[11] FinCEN has an interagency agreement with the Bureau of the Public Debt to house the BSA IT
Mod infrastructure and to perform certification and accreditation testing of the BSA IT Mod projects.
The certification phase includes system analysis to identify weaknesses in operating the system
with specified counter-measures in a particular environment, as well as an analysis of the potential
vulnerabilities of these weaknesses. Accreditation is the formal approval by an appropriate official
that an automated information system is allowed to operate in a particular security mode using a
prescribed set of safeguards and should be strongly based on the residual risks identified during
certification.
[12] A Plan of Actions and Milestones identifies tasks to be accomplished in support of certification
and accreditation. It details resources required to accomplish the elements of the certification and
accreditation, any milestones and dates in meeting the tasks, and scheduled completion dates for
the tasks.

MITRE officials told us that as of the end of May 2012, all
requirements and functionality that had been planned were
achieved. MITRE officials also told us that they were satisfied
with FinCEN’s BSA IT Mod project and program management,
and stated that FinCEN had matured in its capabilities to plan,
execute, and document testing.

FinCEN Addressed SOR Formatting Concerns

In our March 2012 report, we reported that IRS officials were
concerned about the new SOR format not being compatible
with WebCBRS. To address this concern, FinCEN decided to
provide BSA data from its E-filing system in the same format
IRS uses and map back the data from the new BSA forms to the
legacy form format in WebCBRS. [15] FinCEN completed and
tested the mapping to the legacy forms in January 2012 and
from the new BSA forms in March 2012. FinCEN program
management officials and IRS officials told us both
organizations signed off on the mapping.
Additionally, in July
2012, IRS’s Assistant Chief Information Officer for Applications
Development told us that no major problems had been brought
to her attention.

[13] Regression testing consists of rerunning the tests against the modified software code to
determine whether the changes created adverse effects to prior working software code.
[14] A priority 3 (major) defect limits functionality but an acceptable workaround exists. Resolution of
a priority 4 (minor) defect can be delayed without impacting testing efforts. A priority 5 (minimal)
defect involves a requested enhancement to a project.
[15] On March 29, 2012, FinCEN released and began to accept a new Currency Transaction Report
form and a new Suspicious Activity Report form into FinCEN's BSA E-Filing System. FinCEN also
released the new Registration of Money Services Businesses and Designation of Exempt Person
forms.

Risks to BSA IT Mod’s Successful Completion

Although FinCEN management has dedicated itself to the
success of BSA IT Mod and to date has demonstrated good
leadership and commitment to the program, successful
completion is not without risk. A continuing risk concerns the
program’s high level of dependency between the component
projects and the close coordination required as a result.
Programming changes to one project, such as the SOR, require
programming changes to other projects.
Additionally, other
project schedules could be impacted if resolving defects or
development takes longer than planned, or if resources need to
be reallocated to resolve issues as they are identified. In this
regard, FinCEN project management must continue to closely
monitor the projects.

Finding 3    FinCEN Maintained Oversight of the BSA IT Mod
             Program

In our March 2012 report, we reported that FinCEN restructured
to strengthen management and oversight of the BSA IT Mod
program. Overall, management and oversight remained strong
during the scope of this review. We also reported in March
2012 that Treasury OCIO had been actively involved overseeing
BSA IT Mod during the program’s initial planning and early
development phases. Since then, we found that Treasury
OCIO’s oversight was primarily accomplished through a review
of FinCEN-prepared program documentation.

Several Parties Exercise Oversight of the Program

Deloitte provided FinCEN with monthly BSA IT Mod program
management reviews. The monthly reviews focused on the
program status using earned value management (EVM) and
provided a forum for a comprehensive program overview,
including risks and mitigation plans. [16] MITRE officials told us
that to date FinCEN handled the program in an acceptable
manner and MITRE had no significant concerns.
Additionally,
overall the program has stayed within cost and met scheduled
targets.

[16] EVM measures the value of work accomplished in a given period. Differences in these values are
measured in both cost and schedule variances. Explanations must be provided for variances of 10
percent and are subject to corrective action plans, baseline change requests, or termination. The use
of EVM satisfies Office of Management and Budget requirements on programs classified as major
acquisitions as well as IT projects. FinCEN contracted with MITRE to provide an independent validation
to ensure the accuracy of EVM data.

Since the period covered by our March 2012 report, we found
that FinCEN’s PMO changed its oversight regime for BSA IT
Mod. [17] Specifically, we found that the PMO no longer
conducted formal documented independent assessments on
BSA IT Mod. [18] Instead, the PMO changed its focus to providing
technical assistance on BSA IT Mod configuration management.
The PMO’s change in focus occurred after its assessment in
March 2011. That assessment found, among other things,
weaknesses in the program’s configuration management. The
PMO concluded that configuration management was key to
keeping development of the SOR and other projects aligned.
It
should be noted that PMO officials told us that assessments
were no longer considered necessary because of the strong
management of the BSA IT Mod program.

FinCEN’s BSA IT Mod program management plan states that the
BSA IT Mod program is subject to reviews from the PMO. As it
pertains to BSA IT Mod, the PMO is to perform scheduled and
ad hoc process reviews and assessments on the program and
its projects. We believe that although the PMO did not perform
assessments after March 2011, its continued configuration
management technical assistance was necessary in controlling
risk associated with the program.

[17] The PMO is charged with ensuring that FinCEN projects are compliant with project management
standards and processes. The office performed process reviews and assessments on bureau-specific
projects, including BSA IT Mod program.
[18] The PMO conducted two assessments which produced a number of recommendations aimed at
improving the project’s management processes mainly in the areas of quality, scheduling,
requirements, and change management. The last report issued was March 2011.

Treasury OCIO’s Oversight

In our March 2012 report, we reported that Treasury OCIO had
been actively involved overseeing BSA IT Mod. At the time,
OCIO’s involvement was evident during the initial planning and
early development phases. During the period covered by our
review, Treasury OCIO officials told us that the office reviewed
program documentation, including performance plans, cost
submissions, and schedule and performance reporting; the
officials characterized the reviews as being at the “macro-level.”
OCIO officials also told us that OCIO representatives have not
attended FinCEN’s BSA IT Mod monthly program status
meetings for some time. In this regard, we were told that the
OCIO desk officer assigned to the BSA IT Mod program could
not attend all the monthly meetings because the office did not
have the resources to send staff to every meeting. The assigned
OCIO desk officer stated that he contacted FinCEN’s program
manager whenever there were questions concerning FinCEN’s
monthly reporting submissions. OCIO officials told us that they
had no reason to question the BSA IT Mod program data
because FinCEN has been reporting results and the program has
been performing very well.

The Treasury CIO is a member of both the BSA IT Mod
Modernization Executive Group and Executive Steering
Committee, which was to meet on a quarterly basis or when a
major decision or approval was sought. While neither group had
formally met, face-to-face, in the 6 months prior to May 31,
2012, FinCEN communicated with these groups via emails
about the BSA IT Mod program confirming, among other things,
the map-back to WebCBRS consistent with the recommendation
in our previous audit report. In addition, FinCEN provided the
Treasury CIO with an update briefing in May 2012.

Looking forward, the Treasury CIO told us that the Treasury
OCIO was working to strengthen the analytical skills of its desk
officers.
The office also planned to increase the level of
interaction with bureau CIOs by instituting quarterly investment
status meetings rather than annual investment reviews.

For the period covered by our review, we did not identify any
adverse impact to the BSA IT Mod program by the reduced
independent oversight by the FinCEN PMO or the oversight by
the Treasury OCIO. That said, we plan to continue to review the
program oversight exercised in our future audits of the program.

                                 ******

We appreciate the cooperation and courtesies extended to our
staff during the audit. If you wish to discuss the report, you
may contact me at (617) 223-8640 or, Audit Manager Mark
Ossinger, at (617) 223-8643. Major contributors to this report
are listed in appendix 5.

/s/
Sharon Torosian
Audit Director

Appendix 1
Objectives, Scope, and Methodology

This is the second in a series of audits of the Financial Crimes
Enforcement Network's (FinCEN) Bank Secrecy Act (BSA)
Information Technology Modernization Program (BSA IT Mod). Our
objective was to determine if FinCEN is (1) meeting cost, schedule,
and performance for this program and (2) providing appropriate
oversight of contractors. For this second audit, we determined the
status of the program’s cost, schedule, and performance through
May 31, 2012.

To accomplish our objective, we interviewed a variety of officials,
including FinCEN program officials, Department of the Treasury
(Treasury) Office of Chief Information Officer (OCIO) officials,
Internal Revenue Service (IRS) officials involved with using BSA
data.
We also reviewed applicable program documentation and
testing procedures. We performed our fieldwork from March 2012
to August 2012.

At FinCEN, officials we interviewed included the following:

•   The Chief Information Officer (CIO) and the BSA IT Mod
    program manager to obtain an update on the BSA IT Mod, a
    perspective on each individual’s knowledge and level of
    involvement, cost and schedule concerns, and overall progress
    of the program.

•   The Chief Technology Officer to obtain his perspective, level of
    involvement, schedule and performance concerns, and overall
    progress of the program.

•   The Deputy Chief Financial Officer and lead budget analyst to
    gain an update of the cost and funding for the BSA IT Mod.

•   The Assistant Director and the lead assessor of FinCEN’s
    Project Management Office to discuss their assessments of the
    program’s practices.

•   The project managers, project leaders, and contracting officer
    technical representatives responsible for each BSA IT Mod
    project release to obtain an understanding of their perspective,
    level of involvement, schedule and performance concerns, and
    overall progress of their respective project.

External to FinCEN, we interviewed the following officials.

•   Deloitte LLP’s managing director and Deloitte’s program
    manager for BSA IT Mod at the contractor’s office in Rosslyn,
    Virginia, to obtain an update on their perspective of the BSA IT
    Mod and ascertain the program’s status.

•   MITRE representatives in McLean, Virginia, to obtain an update
    of MITRE’s role
    as the federally funded research and
    development contractor, its level of involvement with the
    program, as well as issues, any concerns, and other significant
    matters observed.

•   The Treasury CIO, the Treasury OCIO Associate Director of
    Information Technology Capital Planning, and the Treasury
    OCIO desk officer assigned to the BSA IT Mod program to gain
    an update on their roles in overseeing BSA IT Mod, as well as
    issues, any concerns, and other significant matters.

•   IRS officials in Detroit, Michigan. We spoke with officials from
    IRS’s Small Business/Self-Employed Unit, Modernization,
    Information Technology and Security Services Division, and
    Criminal Investigation Division to gain an update on their
    perspective and any concerns as future users of FinCEN’s
    modernized system.

•   IRS’s Associate CIO, Applications Development Group, to obtain
    an update of her role with BSA IT Mod, coordination between
    IRS and FinCEN, and any concerns regarding the program.

We reviewed program-related information that FinCEN provided to
us, including management reports; minutes from executive,
management, and technical meetings; planning documentation;
program and project level documentation; and various FinCEN
presentations.

We reviewed program management briefings and status reports,
internal and external program performance assessment reports, and
related documentation to assess program performance status,
risks, and issues.

We substantiated through a review of documentation that testing
was performed.
We reviewed project testing results in FinCEN’s
issue and project management software used to track defects and
issues found during testing. We randomly selected test cases to
determine if testing had been performed and defects were resolved
or closed. [19] We observed actual testing performed of two test
cases, and corresponding entries to the issue and project
management software.

We conducted this performance audit in accordance with generally
accepted government auditing standards. Those standards require
that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.

[19] A test case is a scenario made up of a sequence of steps and conditions or variables, where test
inputs are provided and the program is run using those inputs, to see how it performs. An expected
result is outlined and the actual result is compared to it.
Certain working conditions are also present in
the test case, to see how the program handles the conditions.

Appendix 2
Corrective Actions to Prior Audit Recommendations

The status of the two audit recommendations in our prior report on
the Bank Secrecy Act (BSA) Information Technology Modernization
Program is presented in Table 5 below.

Table 5: Corrective Actions on Prior Audit Recommendations

Recommendation:
    In conjunction with IRS, ensure in the short term that IRS’s
    WebCBRS data needs are met and; in the long term, assist IRS
    to ensure data requirements are incorporated into IRS’s
    modernization efforts.
FinCEN Corrective Actions:
    The Financial Crimes Enforcement Network (FinCEN), in the short
    term, will provide Bank Secrecy Act (BSA) data to the Internal
    Revenue Service’s (IRS) Web-based Currency and Banking
    Retrieval System (WebCBRS) via the current E-Filing system and
    formats. In support of the longer-term goal, FinCEN was asked to
    participate on the IRS’s Integrated Project Team to define the IRS
    BSA data end-state solution. FinCEN’s involvement on the team
    includes providing the technical specifications for bulk data
    distribution, answering questions related to new BSA data
    structures, and providing support as requested.

    FinCEN closed the short term action on March 28, 2012. The BSA
    Information Technology (IT) Modernization Executive Group
    consisting of the FinCEN Director, Treasury Chief Information
    Officer, and IRS Deputy Commissioner for Operations and
    Maintenance, approved the mapping back of new Suspicious
    Activity Report (SAR) and Currency Transaction Report (CTR) data
    from FinCEN’s E-Filing system to WebCBRS in the legacy format.
    Subsequently, on March 29, 2012, FinCEN released the new SAR
    and CTR reports to the filing institutions for submission. We
    confirmed during our second audit that FinCEN was able to provide
    BSA data from its E-Filing system in the same format IRS used.
    The long term action is considered closed by FinCEN with its
    ongoing participation on IRS's Integrated Project Team.

Recommendation:
    Ensure that, for future major capital investments, required
    submissions to OMB include full life-cycle cost estimates in
    accordance with OMB Circular A–11 and that thorough
    documentation supporting estimates is maintained.
FinCEN Corrective Actions:
    FinCEN responded to the audit recommendation that it did not have
    a future major capital investment planned. However, when such a
    time comes, FinCEN will ensure that required submissions to Office
    of Management and Budget (OMB) comply with OMB’s Circular A-11
    and that required documentation supporting costs estimates are
    maintained. FinCEN closed the action on April 10, 2012.

    FinCEN's commitment to ensure future compliance and maintain
    supporting documentation met the intent of the audit
    recommendation.

Source: Treasury Office of Inspector General (OIG), FinCEN’s BSA IT Modernization Program Is on Schedule and
Within Cost But Requires Continued Attention to Ensure Successful Completion (OIG-12-047; Mar. 26, 2012).
OIG obtained the status of the recommendations through Treasury’s Joint Audit Management Enterprise System
(JAMES).

Appendix 3
Additional Background Information on BSA IT Mod

Baseline Change of the Bank Secrecy Act Information Technology
Modernization Program (BSA IT Mod)

Our first audit found the Financial Crimes Enforcement Network
(FinCEN) was reporting that as of May 2011, the 4-year, $120
million, BSA IT Mod was on schedule and within an acceptable 10
percent cost threshold. At that time, we found the program to be
generally within scheduled milestones, though certain projects had
exceeded scheduled milestones by 10 percent.

In June 2011, FinCEN adjusted selected project milestone schedule
dates and realigned costs to keep the overall program on track. The
baseline change resulted in no increase to overall costs and no
extension to the 4-year program schedule. However, a major
adjustment was made to the Contractor Services budget, which
was increased by approximately $12.7 million dollars or 37
percent. This budget increase was offset by a reduction to the
budgets for Other and Operations and Maintenance costs.
Table 1 displays the impact the baseline change had on the major program elements.

Table 1: BSA IT Mod Program Baseline Change Comparison (in millions)

Element                       May 2010 Initial Plan   June 2011 Baseline Change   Change
Hardware and Software                         $16.8                       $16.8       $0
Contractor Services                            34.2                        46.9     12.7
Other                                          22.7                        19.3    (3.4)
Operations and Maintenance                     46.9                        37.6    (9.3)
Total                                        $120.6                      $120.6       $0

Source: OIG review of FinCEN data. FTEs are not included in the above cost estimates.

Contractor Services was increased to provide additional iterations to the building and testing of the system of record (SOR) and other projects that had to be changed because of the changes to the SOR. Increased data conversion testing was required because of the volume and complexity of the data and business rules, and to ensure that the integration, system performance, and data integrity were correct.

BSA IT Mod Program Has Multiple Projects

The BSA IT Mod program is made up of multiple projects with specific components. The projects are summarized below.

• BSA Data System of Record/Data Dissemination/Third Party Data — Implements the data storage and architecture for all BSA-related data.
  Implements the distribution of large quantities of BSA data to external consumers.

• Shared Filing Services — Assists in the validation of BSA data based on external data sources, such as validating addresses with the U.S. Postal Service.

• Data Conversion — Completes the conversion of 11 years of BSA data from the legacy system to the new SOR.

• BSA E-Filing — Is the system by which BSA filers will submit all required documentation to FinCEN.

• FinCEN Query — Implements a tool designed to improve authorized users’ ability to access and analyze BSA data. The tool will be used by FinCEN internal users and by registered external users and customers to retrieve and analyze BSA data. The tool is to support traditional structured BSA data queries, and provide narrative search capabilities and options to coordinate and collaborate with users on queries performed.

• Advanced Analytics — Implements complex search and retrieval functionality required by internal and external users to support analytical, law enforcement, and regulatory activities. Provides advanced analytical capabilities such as geospatial, statistical analysis, social networking, semantic interchange, and visualization capabilities.

• Register User Portal/Identity Management/Access Control Management — Provides a common user interface and authentication process through which authorized users will gain access to all future BSA IT Mod applications.
  Registered users will include both internal and external customers.

• Broker Knowledge Exchange — Provides content management and collaboration support for internal and external stakeholder communities. 314A allows law enforcement agencies to submit requests through FinCEN to financial institutions for information about financial accounts and transactions of persons or businesses that may be involved in terrorism or money laundering. 314B allows financial institutions to share information with one another through FinCEN to identify and report suspicious money laundering or terrorist activities to the federal government.

• Alerts - Provides the ability to automatically alert analysts to any suspicious activity based on pre-defined criteria.

• Infrastructure — Provides the design, development, procurement, and implementation of the development and test environments, storage area network(s), and disaster recovery capabilities required to support the other BSA IT Mod projects.

Contractors Engaged by FinCEN

In March 2008, FinCEN awarded a 5-year indefinite delivery, indefinite quantity (IDIQ) contract to BearingPoint, Inc., in connection with the BSA IT Mod.
[20] The contract was subsequently transferred to Deloitte Consulting, LLP (Deloitte).[21] The contract ceiling is a maximum of $144 million and a minimum of $1 million over the contract’s 5-year life. The contractor is to support FinCEN’s Technology Solutions and Services Division by providing a full range of information technology services, custom applications, maintenance support, and infrastructure support necessary to implement the FinCEN IT operational objectives that will evolve over the course of the contract. Numerous program-related task orders associated with the contract are to be issued during the 5-year contract period, which includes BSA IT Mod. FinCEN also contracted with MITRE Corporation (MITRE) to provide

[20] An IDIQ contract provides for an indefinite quantity of services during a fixed period of time. This type of contract is used when it cannot be predetermined, above a specified minimum, the precise quantities of supplies or services that the government will require during the contract period. IDIQ contracts are most often used for service contracts and architect-engineering services.
An IDIQ contract is flexible, especially when not all the requirements are known at the start of a contract, and is conducive to a modular approach, which would be one with phases or milestones.

[21] The IDIQ contract was transferred from BearingPoint, Inc., to Deloitte Consulting, LLP on October 1, 2009 after Deloitte Consulting, LLP, purchased substantially all of the assets of BearingPoint, Inc., Public Service Division.

management guidance, coordination, and evaluation support for BSA IT Mod.[22] MITRE is a subject matter expert on program and project management, and BSA IT Mod business capabilities.

FinCEN is using the Acquisitions Services Directorate of the U.S. Department of the Interior as the contract office to administer the contract. FinCEN chose this office because of its prior experience handling large, complex procurements.

[22] MITRE is a not-for-profit organization chartered to work in the public interest with expertise in systems engineering, information technology, operational concepts, and enterprise modernization. Among other things, it manages federally funded research and development centers, including one for IRS and U.S. Department of Veterans Affairs (the Center for Enterprise Modernization).
Under Treasury’s existing contract with MITRE, Treasury and its bureaus, with permission of the IRS sponsor, may contract for support in the following task areas: strategic management, technical management, program and project management, procurement, and evaluation and audit to facilitate the modernization of systems and their business and technical operation.

Appendix 4
Management Response

Appendix 5
Major Contributors to this Report

Boston Office

Mark Ossinger, Audit Manager
Kenneth O’Loughlin, Auditor-in-Charge
Alex Taubinger, Auditor

Washington, D.C.

Farbod Fakhrai, Referencer

Appendix 6
Report Distribution

Department of the Treasury

    Deputy Secretary
    Under Secretary for Terrorism and Financial Intelligence
    Chief Information Officer
    Office of Strategic Planning and Performance Management
    Office of the Deputy Chief Financial Officer, Risk and Control Group

Financial Crimes Enforcement Network

    Director

Office of Management and Budget

    OIG Budget Examiner

U.S. Senate

    Chairman and Ranking Member
    Committee on Appropriations

    Chairman and Ranking Member
    Subcommittee on Financial Services and General Government
    Committee on Appropriations

U.S.
House of Representatives

    Chairman and Ranking Member
    Committee on Appropriations

    Chairman and Ranking Member
    Subcommittee on Financial Services and General Government
    Committee on Appropriations